runtime-rs: Support initdata within NonProtection scenarios

we also need support initdat within nonprotection even though the platform is detected as NonProtection or usually is called nontee host. Within these cases, there's no need to validate the item of `confidential_guest=true`, we believe the result of the method `available_guest_protection()?`. Fixes #11697 Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-26 11:39:29 +00:00 · 2025-08-19 20:20:56 +08:00 · 2025-08-19 20:20:56 +08:00 · 5cc028a8b1
commit 5cc028a8b1
parent b7d2973ce5
1 changed files with 4 additions and 4 deletions
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@ -374,10 +374,6 @@ impl VirtSandbox {
        hypervisor_config: &HypervisorConfig,
        init_data: Option<String>,
    ) -> Result<Option<ProtectionDeviceConfig>> {
-        if !hypervisor_config.security_info.confidential_guest {
-            return Ok(None);
-        }
-
        let available_protection = available_guest_protection()?;
        info!(
            sl!(),
@ -429,6 +425,7 @@ impl VirtSandbox {
                    debug: false,
                })))
            },
+            GuestProtection::NoProtection => Ok(None),
            _ => Err(anyhow!("confidential_guest requested by configuration but no supported protection available"))
        }
    }
@ -453,6 +450,9 @@ impl VirtSandbox {
                calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
            }
            GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
+            GuestProtection::NoProtection => {
+                calculate_initdata_digest(&initdata, ProtectedPlatform::NoProtection)?
+            }
            // TODO: there's more `GuestProtection` types to be supported.
            _ => return Ok(None),
        };